<html>
<head><meta charset="utf-8"><title>YAML for RustSec advisories · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html">YAML for RustSec advisories</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="210799843"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210799843" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210799843">(Sep 21 2020 at 21:05)</a>:</h4>
<p>Following up on <a href="https://github.com/RustSec/advisory-db/issues/240">https://github.com/RustSec/advisory-db/issues/240</a><br>
<span class="user-mention" data-user-id="132721">@Tony Arcieri</span> I'm sorry I'm speaking up so late, it has slipped under my radar. I have to interact with YAML in my day job, and this led me to despise the format with a fiery passion. It looks simple and easy on the surface, but it's a rabbit hole of pitfalls in practice. TOML by contrast is immensely refreshing by virtue of being <em>actually</em> simple and straightforward.</p>



<a name="210799989"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210799989" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210799989">(Sep 21 2020 at 21:06)</a>:</h4>
<p>Oh, it doesn't use YAML. It uses TOML.</p>



<a name="210800003"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800003" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800003">(Sep 21 2020 at 21:06)</a>:</h4>
<p>Whew</p>



<a name="210800018"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800018" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800018">(Sep 21 2020 at 21:06)</a>:</h4>
<p><a href="https://github.com/RustSec/rustsec-crate/pull/167">https://github.com/RustSec/rustsec-crate/pull/167</a></p>



<a name="210800034"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800034" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800034">(Sep 21 2020 at 21:07)</a>:</h4>
<p>it moves the existing TOML into Markdown frontmatter</p>



<a name="210800085"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800085" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800085">(Sep 21 2020 at 21:07)</a>:</h4>
<p>How widely is said frontmatter actually supported?</p>



<a name="210800245"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800245" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800245">(Sep 21 2020 at 21:08)</a>:</h4>
<p>pretty much any Markdown parser should support it (including GitHub)</p>



<a name="210800278"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800278" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800278">(Sep 21 2020 at 21:08)</a>:</h4>
<p>(see linked issue)</p>



<a name="210800319"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800319" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800319">(Sep 21 2020 at 21:09)</a>:</h4>
<p>So if I only want the machine-readable bits, do I split everything by <code>\n```</code> and that's it?</p>



<a name="210800347"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800347" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800347">(Sep 21 2020 at 21:09)</a>:</h4>
<p>it's mostly just moving the description in the Markdown out-of-band from the rest of the advisory</p>



<a name="210800394"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800394" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800394">(Sep 21 2020 at 21:09)</a>:</h4>
<p>which among other things will make it possible to review the Markdown-rendered description as part of a PR</p>



<a name="210800431"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800431" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800431">(Sep 21 2020 at 21:09)</a>:</h4>
<p>And as part of the repo as well, which might also be beneficial</p>



<a name="210800456"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800456" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800456">(Sep 21 2020 at 21:10)</a>:</h4>
<p>yeah</p>



<a name="210800531"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800531" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800531">(Sep 21 2020 at 21:10)</a>:</h4>
<p>I see. Thanks and sorry for the ping, I should have looked further into this</p>



<a name="210800557"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800557" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800557">(Sep 21 2020 at 21:10)</a>:</h4>
<p>I saw the mention of YAML and panicked</p>



<a name="210800584"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800584" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800584">(Sep 21 2020 at 21:10)</a>:</h4>
<p>hahaha yeah</p>



<a name="210800630"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/210800630" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#210800630">(Sep 21 2020 at 21:11)</a>:</h4>
<p>YAML frontmatter is definitely more widely supported but I also hate YAML <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="211368054"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/211368054" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#211368054">(Sep 26 2020 at 16:29)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> speaking of breaking changes in the RustSec format - CVE allows several references for more info, while RustSec only allows one. Is that a deliberate design decision?</p>



<a name="211368146"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/211368146" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#211368146">(Sep 26 2020 at 16:31)</a>:</h4>
<p>no, we could make it support multiple links</p>



<a name="211368383"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/211368383" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#211368383">(Sep 26 2020 at 16:36)</a>:</h4>
<p>It could be seen as a feature because CVE links are usually rather useless, while links in RustSec tend to lead to something informative.</p>



<a name="211368760"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/211368760" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#211368760">(Sep 26 2020 at 16:44)</a>:</h4>
<p>we can probably add it in a non-breaking way already</p>



<a name="211368773"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/211368773" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#211368773">(Sep 26 2020 at 16:45)</a>:</h4>
<p>One primary URL plus a bunch of "references" URLs might be a good model</p>



<a name="211368777"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/YAML%20for%20RustSec%20advisories/near/211368777" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/YAML.20for.20RustSec.20advisories.html#211368777">(Sep 26 2020 at 16:45)</a>:</h4>
<p>yeah exactly</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>